Ah, summer. Time to kick back a little and enjoy the long days and warm weather. Uh, well not so much if you're an information security professional. There's never any respite from the seemingly endless stream of new software vulnerabilities and patches to apply.
Already in June, we had a bumper crop of patches from Microsoft, which coincided with a flaw in Adobe's Flash Player, Reader, and Acrobat products. Plus, attackers quickly exploited a zero-day vulnerability in the Windows XP Help and Support Center component, which was disclosed by a Google engineer (and unleashed a renewed debate over responsible disclosure, a whole other topic we won't rehash here). Of course, the bad news wasn't limited to commercial software. AT&T made headlines for all the wrong reasons with its poor Web application security that was uncovered by a small security research firm and exposed the email of thousands of iPad 3G users.
The industry has preached the need for software security and secure coding for several years now. After all, if software is designed securely from the start, it means a lot less problems down the road. In the commercial software realm, Microsoft certainly has made strides in improving the security of its software, and Adobe has finally seen the light with its implementation of a secure development process. However, Microsoft's monthly security bulletins combined with quarterly security patches from Oracle and Adobe continue to require labor and expense in the enterprise.
At an (ISC)2 conference on software security last month in Fremont, Calif., attendees were asked how insecure software has impacted their organization. Twenty-six percent ranked staff hours spent on installing patches or remediation as the top impact. Interestingly, the majority (56 percent) ranked reputation damage due to breaches as having the biggest impact.
During a panel discussion, participants raised -- and quickly dumped -- the notion of a something like a Good Housekeeping Seal for software. The general consensus: A lab can certify a toaster oven, but certifying software that's used in so many different ways and in multiple environments is impossible.
A big part of the problem, says Max Rayner, former CTO at travel deal publisher Travelzoo and a panelist at the (ISC)2 conference, is the lack of security training for programmers. "For decades, we've taught people how to code, but not necessarily how to code securely," he says.
The industry continues to tackle the problem of insecure software with several initiatives, including the Building Security in Maturity Model (BSIMM), which offers a model drawn on security practices of 30 firms, and the Software Assurance Forum for Excellence in Code (SAFECode), which aims to advance software assurance methods. SAFECode, which has a membership that includes Microsoft, Adobe and Symantec, recently released a paper that provides guidance for reducing risks in the software supply chain. (ISC)2, provider of the CISSP program, now offers a certification in software security.
Hewlett-Packard says it's developed a methodology for reducing the risk of security flaws in software, which it's used in-house for more than six years and recently made commercially available. The idea is to perform a threat analysis of an application's architecture, before a single line of code is written, and save money on corrections required by penetration tests and other security tests.
The need for secure software becomes only more critical with cloud computing, says Chris Whitener, chief security strategist for HP Secure Advantage. "If we can't trust some of the foundations that the cloud is built on, the whole thing starts to fall apart," he says.
Of course, flaw-free software isn't possible. But with cloud computing drawing intense interest in the enterprise and financially-motivated attackers always on the hunt for holes to exploit, we need a laser-like focus on software security. We can't afford to take our eyes off the ball even during the dog days of summer.
Marcia Savage is editor of Information Security. Send comments on this column to [email protected]